SSL certificate status still expired after successful renewal

My domain is: datacook.org
https://datacook.org

I ran this command: certbot renew

It produced this output:
root@ip-172-31-37-234:/etc/letsencrypt/renewal# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: datacook.org-0001
Domains: datacook.org
Expiry Date: 2022-07-07 16:19:10+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/datacook.org-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/datacook.org-0001/privkey.pem
Certificate Name: www.datacook.org
Domains: www.datacook.org
Expiry Date: 2022-07-07 16:19:20+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.datacook.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.datacook.org/privkey.pem


My web server is (include version): certbot --version
certbot 0.31.0

The operating system my web server runs on is (include version): ubuntu at EC2 AWS

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): YES

I don't know why the renewal didn't apply to the site.
Also, new keys were generated under datacook.org-0001, not under datacook.org.
Can you please help? Thanks.

1 Like

Certbot renewed the certificate but the webserver doesn't know that yet.

What's your webserver? How did you install your certificate?

Two certificates for two different hostnames: www and non-www are different.

2 Likes

And did you reload the webserver after renewal? Depending on how you're using Certbot, Certbot may or may not have done this for you already.

certbot renew does not generate new certificates, so you must have done something in the past which has generated the -0001 certificate.

Both certificates currently have just a single hostname in them. You could have combined both hostnames in a single certificate earlier when you've generated these certs.

From your certificate history at crt.sh | datacook.org it seems you did have a certificate combining both hostnames in the past up until the end of 2021. But for some reason, on 2021-12-28 a certificate was generated for just datacook.org. You or someone else has managed to generate FIVE identical certificates on that date for some reason, probably running into the duplicate certificates rate limit. And after that a cert with just the www subdomain was generated. And from then on, both certificates seem to have been in use. Although on 2022-01-05 again a duplicate certificate was issued for datacook.org instead of just a single renewal. Not sure why that happened.

3 Likes
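The situation described in the two replies above (certbot renewed on disk, but the webserver is still presenting the old certificate) can be checked directly. The following script is an added example, not code from this thread; it assumes the live paths shown in the poster's `certbot certificates` output and compares the SHA-256 fingerprint of the on-disk leaf certificate with the leaf the server actually serves for each hostname.

```python
"""Added check: does the certificate a TLS server presents match the one
certbot has on disk? A mismatch means the renewal happened on disk but the
webserver was never reloaded and is still serving the old certificate."""
import base64
import hashlib
import socket
import ssl

# Live paths as they appear in the thread's `certbot certificates` output.
DISK_CERTS = {
    "datacook.org": "/etc/letsencrypt/live/datacook.org-0001/fullchain.pem",
    "www.datacook.org": "/etc/letsencrypt/live/www.datacook.org/fullchain.pem",
}


def leaf_from_fullchain(pem_text: str) -> bytes:
    """Return the DER bytes of the first (leaf) certificate in a PEM chain."""
    begin, end = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
    start = pem_text.index(begin) + len(begin)
    stop = pem_text.index(end, start)
    return base64.b64decode("".join(pem_text[start:stop].split()))


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def served_leaf(host: str, port: int = 443) -> bytes:
    """Fetch the leaf cert presented for `host`. SNI matters here: www and
    non-www are separate certificates. Verification is disabled on purpose so
    an already-expired cert can still be fingerprinted; nothing is trusted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def webserver_in_sync(disk_pem: str, served_der: bytes) -> bool:
    """True when the on-disk leaf and the served leaf are the same certificate."""
    return fingerprint(leaf_from_fullchain(disk_pem)) == fingerprint(served_der)


if __name__ == "__main__":
    for host, path in DISK_CERTS.items():
        with open(path) as f:
            disk_pem = f.read()
        ok = webserver_in_sync(disk_pem, served_leaf(host))
        print(f"{host}: {'in sync' if ok else 'STALE: reload the webserver'}")
```

Run it as root on the host after `certbot renew`; a STALE result for either name means the server process (nginx or Node.js, whichever actually terminates TLS) still holds the old certificate in memory.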

Yes, I did stop and restart the webserver. How can I reload?
And last month, the renewal didn't work, so I had to revoke and use 'certbot certonly' to create one again.
What should I do to resolve this issue?

1 Like

I meant (not last month) last time, in Jan 2022. We need to renew both the www and non-www domain's ssh.

1 Like

The main webserver is under datacook.org, and it looks like www.datacook.org was renewed as well.
And how can I remove -0001 and create keys under the domain name? Thanks.

1 Like

That gets a certificate but does not install it.

You might want to try with certbot install

2 Likes

a) You should have fixed any issue back then; it seems using certonly was just a temporary workaround.
b) Revoking is almost NEVER necessary. It is NOT useful when you're having issues with getting a certificate AT ALL... :frowning:

3 Likes

Should I remove the directories for everything related to 'datacook.org-0001'?
Or should I keep them and just run 'certbot install'?
For the last 12 months I was able to use 'renew' and it had been working.

Does 'renew' have any limit too?

Do not remove those directories.

You have two certificates for two different domain names, right now: datacook.org and www.datacook.org.

You need both, or you can get another certificate with both domain names. You have to configure your webserver (apache?) for both names and certbot will pick it up. Otherwise, you have to install both.

2 Likes

Thanks for the quick response, 9peppe.
I understood that the certificates are valid for both domains.
Is the issue from the webserver? But I didn't change anything on the webserver side (Node.js), and it had been working before the ssh expiration.
I am running out of options to try out.

2 Likes

Did you move the certificate to install it?

2 Likes

Please show the Node.js configuration for your certificate(s).

3 Likes

certbot

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
1: datacook.org
2: www.datacook.org
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2

Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/www.datacook.org.conf)

What would you like to do?
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

Keeping the existing certificate
Problem in /etc/nginx/sites-enabled/default: tried to insert directive "['ssl_certificate', '/var/lib/letsencrypt/snakeoil/0002_cert.pem']" but found conflicting "['ssl_certificate', '/etc/letsencrypt/live/datacook.org/fullchain.pem']".

IMPORTANT NOTES:
- Unable to install the certificate
  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/www.datacook.org/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/www.datacook.org/privkey.pem
    Your cert will expire on 2022-07-07. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the "certonly" option. To non-interactively renew all of
    your certificates, run "certbot renew"

Hi, Osiris.

Is that what you are asking about regarding the Node.js configuration?

// Make server
var Hapi = require('hapi');   // require added here; older hapi releases are published as 'hapi', newer ones as '@hapi/hapi'
var server = new Hapi.Server();

// NEW HTTPS : Green Lock
// leHttpChallenge and leAgree are defined elsewhere in the application (not shown in the post)
var greenlock = require('greenlock-hapi').create({
    version: 'draft-11'                   // Let's Encrypt v2
    , server: 'https://acme-v02.api.letsencrypt.org/directory'
    , email: 'xxxx@datacook.org'          // was a curly opening quote (‘), which is a JavaScript syntax error
    , agreeTos: true
    , approveDomains: ['datacook.org', 'www.datacook.org']
    , communityMember: true
    , configDir: '/etc/letsencrypt'
    , challenges: {
        'http-01': leHttpChallenge        // handles /.well-known/acme-challenge keys and tokens
      }
    , challengeType: 'http-01'            // default to this challenge type
    , agreeToTerms: leAgree               // hook to allow user to view and accept LE TOS
    // , debug: true
});                                       // the closing "});" was previously swallowed by the debug comment

The messages are conflicting. First, "Unable to install the certificate". Then "Congratulations! Your certificate ... has been saved"?

You do realize these are two different acme clients, right?

You only need one.

2 Likes

Sorry, I am not following your above comment, 9peppe. Can you explain what the two different ACME clients are?

An ACME client is software you use to interact with Let's Encrypt to ask for and get a certificate.

Both Certbot and greenlock are ACME clients, and you usually only need one of them.

You need to think about how your application is using the certificates and where the config for the TLS server is.

2 Likes

I'm confused too... Are you running a Node.js webserver or nginx?!?

4 Likes